Security researchers have demonstrated a multimedia security flaw in the Second Life virtual reality site, which...
allows attackers to steal money.
Charlie Miller, a security analyst at Independent Security Evaluators, and security expert Dino Dai Zovi decided to investigate the security of online games.
This resulted in an exploit for Linden-owned Second Life, that makes any player affected hand the attacker their Linden dollars and yell "I got hacked!".
In other words, it is possible to exploit a player to steal Linden dollars, and then cash them out for real US dollars.
All the victim has to do is have video enabled and enter a piece of land owned by the attacker.
The actual vulnerability lies in the third party QuickTime Player made by Apple. A vulnerability was announced last November in the way QuickTime handles Real Time Streaming Protocol (RTSP) media tunnelling responses.
Second Life allows players to embed media files in Second Life objects, and uses QuickTime to handle all video rendering. It is possible to have these media elements constantly playing.
If a Second Life avatar walks onto a piece of land that contains an embedded malicious QuickTime file, they can be exploited.
Once the malicious file has been viewed by the victim, the attacker has complete control over the victim's computer - and Second Life avatar. At this point the exploit could make the avatar do anything they like.
This particular exploit can freeze the avatar and makes them send the attacker's avatar 12 Linden dollars and shout "I got hacked".
The hack demonstrated by the researchers sees victim Sussy McBride wandering along and minding her own business, until she stumbles upon a piece of land with a small purple box (the exploit). Very shortly after, she freezes and sends attacker Pwned Naglo 12 Linden dollars and yells that she was hacked.
The researchers say an exploit could be delivered in multiple ways, by looking at a shirt that a character is wearing, for instance, or by a character whispering something to another character.
It is believed the latest updated version of QuickTime blocks the security hole demonstrated by the researchers.